  • ntlm-info

    Retrieve the host information that is specified in the NTLM challenge.

    This can be useful as a way to discover the names of the computers in an internal network, as an alternative to a reverse DNS query, and also to discover the internal domain name from hosts exposed to the internet.

    Currently it is possible to use the following application protocols to get an NTLM challenge:

    • HTTP
    • SMB

    SMB Usage

    Quick example: to retrieve the names of the hosts in a local network, you can run:

    $ ntlm-info smb 192.168.100.0/24 -w 20
    
    Target: 192.168.100.7
    NbComputer: WS02-7
    NbDomain: CONTOSO
    DnsComputer: ws02-7.contoso.local
    DnsDomain: contoso.local
    Version: 6.1.7601
    OS: Windows 7 | Windows Server 2008 R2
    
    Target: 192.168.100.10
    NbComputer: WS01-10
    NbDomain: CONTOSO
    DnsComputer: ws01-10.contoso.local
    DnsDomain: contoso.local
    Version: 10.0.19041
    OS: Windows 10 | Windows Server 2019 | Windows Server 2016

    As input for the smb command, you can specify a:

    • Hostname
    • IP
    • network CIDR

    You can also supply these in a file, as parameters, or via stdin.

    cat hosts.txt | ntlm-info smb
    ntlm-info smb 192.168.100.10 192.168.100.7
    ntlm-info smb 192.168.100.0/24

    HTTP Usage

    Quick example: to retrieve the info of an HTTP endpoint:

    $ ntlm-info http http://contoso.com/ 
    
    Target: 192.168.100.10
    NbComputer: WS01-10
    NbDomain: CONTOSO
    DnsComputer: ws01-10.contoso.local
    DnsDomain: contoso.local
    Version: 10.0.19041
    OS: Windows 10 | Windows Server 2019 | Windows Server 2016

    As input for the http command, you can specify one or several URLs.

    You can also supply these in a file, as parameters, or via stdin.

    cat urls.txt | ntlm-info http
    ntlm-info http http://contoso.com/ http://company.com/owa
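
    The fields printed above come from the Version field and the TargetInfo AV_PAIR list of the NTLM CHALLENGE_MESSAGE (layout per MS-NLMP), which a server sends before any credentials are checked. The following is an added example, not ntlm-info's own code, that parses those fields from a constructed message built from the sample output above; `parse_challenge`, `sample_challenge`, `u16le` and `NAMES` are hypothetical names.

```rust
use std::collections::BTreeMap;

const NAMES: [&str; 5] = ["", "NbComputer", "NbDomain", "DnsComputer", "DnsDomain"];

fn u16le(b: &[u8], o: usize) -> Option<u16> {
    b.get(o..o + 2).map(|s| u16::from_le_bytes([s[0], s[1]]))
}

/// Parse an NTLM CHALLENGE_MESSAGE (type 2). None if truncated or malformed.
pub fn parse_challenge(msg: &[u8]) -> Option<BTreeMap<&'static str, String>> {
    msg.strip_prefix(b"NTLMSSP\0\x02\0\0\0")?; // signature + MessageType 2
    let mut out = BTreeMap::new();
    let v = msg.get(48..52)?; // Version: major, minor, build (u16 LE)
    out.insert("Version", format!("{}.{}.{}", v[0], v[1], u16le(v, 2)?));
    let len = u16le(msg, 40)? as usize; // TargetInfoFields.Len
    let off = u16le(msg, 44)? as usize | (u16le(msg, 46)? as usize) << 16; // .BufferOffset
    let info = msg.get(off..off.checked_add(len)?)?; // bounds-checked payload slice
    let mut p = 0;
    while u16le(info, p)? != 0 { // AvId 0 (MsvAvEOL) terminates the list
        let (id, n) = (u16le(info, p)? as usize, u16le(info, p + 2)? as usize);
        let val = info.get(p + 4..p + 4 + n)?; // rejects an AvLen past the buffer
        if let Some(name) = NAMES.get(id) {
            // AvId 1..=4 hold UTF-16LE names; other ids (flags, timestamp) are skipped
            let u: Vec<u16> = (0..n / 2).filter_map(|i| u16le(val, 2 * i)).collect();
            out.insert(*name, String::from_utf16_lossy(&u));
        }
        p += 4 + n;
    }
    Some(out)
}

/// Constructed sample (not captured traffic), built from the README's example output.
pub fn sample_challenge() -> Vec<u8> {
    let mut m = b"NTLMSSP\0\x02\0\0\0".to_vec();
    m.resize(56, 0); // fixed header; fields not set below stay zero
    m[44] = 56; // TargetInfo BufferOffset: payload starts right after the header
    m[48..52].copy_from_slice(&[10, 0, 0x61, 0x4a]); // Version 10.0.19041
    let names = ["WS01-10", "CONTOSO", "ws01-10.contoso.local", "contoso.local"];
    for (i, s) in names.iter().enumerate() {
        m.extend_from_slice(&[i as u8 + 1, 0, 2 * s.len() as u8, 0]); // AvId, AvLen (ASCII)
        m.extend(s.encode_utf16().flat_map(|u| u.to_le_bytes().to_vec()));
    }
    m.extend_from_slice(&[0; 4]); // MsvAvEOL
    m[40] = (m.len() - 56) as u8; // TargetInfo Len
    m
}

fn main() {
    println!("{:#?}", parse_challenge(&sample_challenge()));
}
```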

    Installation

    From crates:

    cargo install ntlm-info

    From repo:

    cargo install --git https://github.com/Zer1t0/ntlm-info.git

    To build it statically on Windows (PowerShell):

    git clone https://github.com/Zer1t0/ntlm-info.git
    cd ntlm-info/
    $env:RUSTFLAGS='-C target-feature=+crt-static'
    cargo build --release

    Acknowledgments

    This tool was inspired by ntlm_challenger.